samba/backport-0042-CVE-2022-37966.patch

From 7a22f4b56cb75473e63673bd975f6b852c15bc03 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 29 Nov 2022 09:48:09 +0100
Subject: [PATCH 42/54] CVE-2022-37966 python:tests/krb5: fix some tests
 running against Windows 2022

I'm using the following options:

SERVER=172.31.9.218 DC_SERVER=w2022-118.w2022-l7.base \
SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 \
DOMAIN=W2022-L7 REALM=W2022-L7.BASE \
ADMIN_USERNAME=Administrator ADMIN_PASSWORD=A1b2C3d4 \
CLIENT_USERNAME=Administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=2 \
FULL_SIG_SUPPORT=1 TKT_SIG_SUPPORT=1 FORCED_RC4=1

in order to run these:

python/samba/tests/krb5/as_req_tests.py -v --failfast AsReqKerberosTests
python/samba/tests/krb5/etype_tests.py -v --failfast EtypeTests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e0f89b7bc8025db615dccf096aab4ca87e655368)

Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
 python/samba/tests/krb5/as_req_tests.py  | 19 +++++++++++++++----
 python/samba/tests/krb5/kdc_base_test.py |  9 +++++++++
 python/samba/tests/krb5/raw_testcase.py  | 18 +++++++++++++++---
 3 files changed, 39 insertions(+), 7 deletions(-)

diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
index 6b3b5ad4a226..22e5e373c51b 100755
--- a/python/samba/tests/krb5/as_req_tests.py
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -47,6 +47,7 @@ class AsReqBaseTest(KDCBaseTest):
                                   expected_cname=None, sname=None,
                                   name_type=NT_PRINCIPAL, etypes=None,
                                   expected_error=None, expect_edata=None,
+                                  expected_pa_error=None, expect_pa_edata=None,
                                   kdc_options=None, till=None):
         user_name = client_creds.get_username()
         if client_account is None:
@@ -125,6 +126,8 @@ class AsReqBaseTest(KDCBaseTest):
 
         preauth_padata = [pa_ts]
         preauth_error_mode = 0 # AS-REP
+        if expected_pa_error is not None:
+            preauth_error_mode = expected_pa_error
 
         krbtgt_decryption_key = (
             self.TicketDecryptionKey_from_creds(krbtgt_creds))
@@ -146,6 +149,7 @@ class AsReqBaseTest(KDCBaseTest):
             kdc_options,
             expected_supported_etypes=krbtgt_supported_etypes,
             expected_account_name=user_name,
+            expect_edata=expect_pa_edata,
             preauth_key=preauth_key,
             ticket_decryption_key=krbtgt_decryption_key,
             pac_request=True)
@@ -512,10 +516,17 @@ class AsReqKerberosTests(AsReqBaseTest):
             name_type=NT_SRV_INST,
             names=[krbtgt_account, realm])
 
-        self._run_as_req_enc_timestamp(
-            client_creds,
-            sname=wrong_krbtgt_princ,
-            expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
+        if self.strict_checking:
+            self._run_as_req_enc_timestamp(
+                client_creds,
+                sname=wrong_krbtgt_princ,
+                expected_pa_error=KDC_ERR_S_PRINCIPAL_UNKNOWN,
+                expect_pa_edata=False)
+        else:
+            self._run_as_req_enc_timestamp(
+                client_creds,
+                sname=wrong_krbtgt_princ,
+                expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
 
     # Test that we can make a request for a ticket expiring post-2038.
     def test_future_till(self):
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index e92049a2ecda..beefd1654494 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -53,6 +53,11 @@ from samba.dsdb import (
     UF_SERVER_TRUST_ACCOUNT,
     UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
 )
+from samba.dcerpc.misc import (
+    SEC_CHAN_NULL,
+    SEC_CHAN_WKSTA,
+    SEC_CHAN_BDC,
+)
 from samba.join import DCJoinContext
 from samba.ndr import ndr_pack, ndr_unpack
 from samba import net
@@ -292,6 +297,7 @@ class KDCBaseTest(RawKerberosTest):
         # run failed
         delete_force(samdb, dn)
         account_name = name
+        secure_schannel_type = SEC_CHAN_NULL
         if account_type is self.AccountType.USER:
             object_class = "user"
             account_control |= UF_NORMAL_ACCOUNT
@@ -301,8 +307,10 @@ class KDCBaseTest(RawKerberosTest):
                 account_name += '$'
             if account_type is self.AccountType.COMPUTER:
                 account_control |= UF_WORKSTATION_TRUST_ACCOUNT
+                secure_schannel_type = SEC_CHAN_WKSTA
             elif account_type is self.AccountType.SERVER:
                 account_control |= UF_SERVER_TRUST_ACCOUNT
+                secure_schannel_type = SEC_CHAN_BDC
             else:
                 self.fail()
 
@@ -343,6 +351,7 @@ class KDCBaseTest(RawKerberosTest):
             creds.set_workstation('')
         else:
             creds.set_workstation(name)
+        creds.set_secure_channel_type(secure_schannel_type)
         creds.set_dn(ldb.Dn(samdb, dn))
         creds.set_upn(upn)
         creds.set_spn(spn)
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index f13ada7bbf83..d601c7bb5018 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -41,6 +41,10 @@ from samba.credentials import Credentials
 from samba.dcerpc import krb5pac, security
 from samba.gensec import FEATURE_SEAL
 from samba.ndr import ndr_pack, ndr_unpack
+from samba.dcerpc.misc import (
+    SEC_CHAN_WKSTA,
+    SEC_CHAN_BDC,
+)
 
 import samba.tests
 from samba.tests import TestCaseInTempDir
@@ -484,7 +488,8 @@ class KerberosCredentials(Credentials):
         else:
             salt_name = self.get_username()
 
-        if self.get_workstation():
+        secure_schannel_type = self.get_secure_channel_type()
+        if secure_schannel_type in [SEC_CHAN_WKSTA,SEC_CHAN_BDC]:
             salt_name = self.get_username().lower()
             if salt_name[-1] == '$':
                 salt_name = salt_name[:-1]
@@ -2934,7 +2939,7 @@ class RawKerberosTest(TestCaseInTempDir):
                 else:
                     self.assertElementMissing(ticket_private, 'renew-till')
             if self.strict_checking:
-                self.assertElementEqual(ticket_private, 'caddr', [])
+                self.assertElementMissing(ticket_private, 'caddr')
             if expect_pac is not None:
                 if expect_pac:
                     self.assertElementPresent(ticket_private,
@@ -2988,7 +2993,7 @@ class RawKerberosTest(TestCaseInTempDir):
             self.assertElementEqualPrincipal(encpart_private, 'sname',
                                              expected_sname)
             if self.strict_checking:
-                self.assertElementEqual(encpart_private, 'caddr', [])
+                self.assertElementMissing(encpart_private, 'caddr')
 
             sent_pac_options = self.get_sent_pac_options(kdc_exchange_dict)
 
@@ -3441,6 +3446,13 @@ class RawKerberosTest(TestCaseInTempDir):
                                 kcrypto.Enctype.AES128}:
                 expected_patypes += (PADATA_ETYPE_INFO2,)
 
+            preauth_key = kdc_exchange_dict['preauth_key']
+            if preauth_key.etype == kcrypto.Enctype.RC4 and rep_padata is None:
+                rep_padata = ()
+        elif rep_msg_type == KRB_TGS_REP:
+            if expected_patypes == () and rep_padata is None:
+                rep_padata = ()
+
         if not self.strict_checking and rep_padata is None:
             rep_padata = ()
 
-- 
2.34.1
fix CVE-2022-38023 CVE-2022-37966 CVE-2022-37967 2022-12-29 07:17:40 +00:00			`From 7a22f4b56cb75473e63673bd975f6b852c15bc03 Mon Sep 17 00:00:00 2001`
			`From: Stefan Metzmacher <metze@samba.org>`
			`Date: Tue, 29 Nov 2022 09:48:09 +0100`
			`Subject: [PATCH 42/54] CVE-2022-37966 python:tests/krb5: fix some tests`
			`running against Windows 2022`

			`I'm using the following options:`

			`SERVER=172.31.9.218 DC_SERVER=w2022-118.w2022-l7.base \`
			`SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 \`
			`DOMAIN=W2022-L7 REALM=W2022-L7.BASE \`
			`ADMIN_USERNAME=Administrator ADMIN_PASSWORD=A1b2C3d4 \`
			`CLIENT_USERNAME=Administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=2 \`
			`FULL_SIG_SUPPORT=1 TKT_SIG_SUPPORT=1 FORCED_RC4=1`

			`in order to run these:`

			`python/samba/tests/krb5/as_req_tests.py -v --failfast AsReqKerberosTests`
			`python/samba/tests/krb5/etype_tests.py -v --failfast EtypeTests`

			`BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237`

			`Signed-off-by: Stefan Metzmacher <metze@samba.org>`
			`Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>`
			`Reviewed-by: Andrew Bartlett <abartlet@samba.org>`
			`(cherry picked from commit e0f89b7bc8025db615dccf096aab4ca87e655368)`

			`Conflict: NA`
			`Reference: https://attachments.samba.org/attachment.cgi?id=17695`
			`---`
			`python/samba/tests/krb5/as_req_tests.py \| 19 +++++++++++++++----`
			`python/samba/tests/krb5/kdc_base_test.py \| 9 +++++++++`
			`python/samba/tests/krb5/raw_testcase.py \| 18 +++++++++++++++---`
			`3 files changed, 39 insertions(+), 7 deletions(-)`

			`diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py`
			`index 6b3b5ad4a226..22e5e373c51b 100755`
			`--- a/python/samba/tests/krb5/as_req_tests.py`
			`+++ b/python/samba/tests/krb5/as_req_tests.py`
			`@@ -47,6 +47,7 @@ class AsReqBaseTest(KDCBaseTest):`
			`expected_cname=None, sname=None,`
			`name_type=NT_PRINCIPAL, etypes=None,`
			`expected_error=None, expect_edata=None,`
			`+ expected_pa_error=None, expect_pa_edata=None,`
			`kdc_options=None, till=None):`
			`user_name = client_creds.get_username()`
			`if client_account is None:`
			`@@ -125,6 +126,8 @@ class AsReqBaseTest(KDCBaseTest):`

			`preauth_padata = [pa_ts]`
			`preauth_error_mode = 0 # AS-REP`
			`+ if expected_pa_error is not None:`
			`+ preauth_error_mode = expected_pa_error`

			`krbtgt_decryption_key = (`
			`self.TicketDecryptionKey_from_creds(krbtgt_creds))`
			`@@ -146,6 +149,7 @@ class AsReqBaseTest(KDCBaseTest):`
			`kdc_options,`
			`expected_supported_etypes=krbtgt_supported_etypes,`
			`expected_account_name=user_name,`
			`+ expect_edata=expect_pa_edata,`
			`preauth_key=preauth_key,`
			`ticket_decryption_key=krbtgt_decryption_key,`
			`pac_request=True)`
			`@@ -512,10 +516,17 @@ class AsReqKerberosTests(AsReqBaseTest):`
			`name_type=NT_SRV_INST,`
			`names=[krbtgt_account, realm])`

			`- self._run_as_req_enc_timestamp(`
			`- client_creds,`
			`- sname=wrong_krbtgt_princ,`
			`- expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)`
			`+ if self.strict_checking:`
			`+ self._run_as_req_enc_timestamp(`
			`+ client_creds,`
			`+ sname=wrong_krbtgt_princ,`
			`+ expected_pa_error=KDC_ERR_S_PRINCIPAL_UNKNOWN,`
			`+ expect_pa_edata=False)`
			`+ else:`
			`+ self._run_as_req_enc_timestamp(`
			`+ client_creds,`
			`+ sname=wrong_krbtgt_princ,`
			`+ expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)`

			`# Test that we can make a request for a ticket expiring post-2038.`
			`def test_future_till(self):`
			`diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py`
			`index e92049a2ecda..beefd1654494 100644`
			`--- a/python/samba/tests/krb5/kdc_base_test.py`
			`+++ b/python/samba/tests/krb5/kdc_base_test.py`
			`@@ -53,6 +53,11 @@ from samba.dsdb import (`
			`UF_SERVER_TRUST_ACCOUNT,`
			`UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION`
			`)`
			`+from samba.dcerpc.misc import (`
			`+ SEC_CHAN_NULL,`
			`+ SEC_CHAN_WKSTA,`
			`+ SEC_CHAN_BDC,`
			`+)`
			`from samba.join import DCJoinContext`
			`from samba.ndr import ndr_pack, ndr_unpack`
			`from samba import net`
			`@@ -292,6 +297,7 @@ class KDCBaseTest(RawKerberosTest):`
			`# run failed`
			`delete_force(samdb, dn)`
			`account_name = name`
			`+ secure_schannel_type = SEC_CHAN_NULL`
			`if account_type is self.AccountType.USER:`
			`object_class = "user"`
			`account_control \|= UF_NORMAL_ACCOUNT`
			`@@ -301,8 +307,10 @@ class KDCBaseTest(RawKerberosTest):`
			`account_name += '$'`
			`if account_type is self.AccountType.COMPUTER:`
			`account_control \|= UF_WORKSTATION_TRUST_ACCOUNT`
			`+ secure_schannel_type = SEC_CHAN_WKSTA`
			`elif account_type is self.AccountType.SERVER:`
			`account_control \|= UF_SERVER_TRUST_ACCOUNT`
			`+ secure_schannel_type = SEC_CHAN_BDC`
			`else:`
			`self.fail()`

			`@@ -343,6 +351,7 @@ class KDCBaseTest(RawKerberosTest):`
			`creds.set_workstation('')`
			`else:`
			`creds.set_workstation(name)`
			`+ creds.set_secure_channel_type(secure_schannel_type)`
			`creds.set_dn(ldb.Dn(samdb, dn))`
			`creds.set_upn(upn)`
			`creds.set_spn(spn)`
			`diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py`
			`index f13ada7bbf83..d601c7bb5018 100644`
			`--- a/python/samba/tests/krb5/raw_testcase.py`
			`+++ b/python/samba/tests/krb5/raw_testcase.py`
			`@@ -41,6 +41,10 @@ from samba.credentials import Credentials`
			`from samba.dcerpc import krb5pac, security`
			`from samba.gensec import FEATURE_SEAL`
			`from samba.ndr import ndr_pack, ndr_unpack`
			`+from samba.dcerpc.misc import (`
			`+ SEC_CHAN_WKSTA,`
			`+ SEC_CHAN_BDC,`
			`+)`

			`import samba.tests`
			`from samba.tests import TestCaseInTempDir`
			`@@ -484,7 +488,8 @@ class KerberosCredentials(Credentials):`
			`else:`
			`salt_name = self.get_username()`

			`- if self.get_workstation():`
			`+ secure_schannel_type = self.get_secure_channel_type()`
			`+ if secure_schannel_type in [SEC_CHAN_WKSTA,SEC_CHAN_BDC]:`
			`salt_name = self.get_username().lower()`
			`if salt_name[-1] == '$':`
			`salt_name = salt_name[:-1]`
			`@@ -2934,7 +2939,7 @@ class RawKerberosTest(TestCaseInTempDir):`
			`else:`
			`self.assertElementMissing(ticket_private, 'renew-till')`
			`if self.strict_checking:`
			`- self.assertElementEqual(ticket_private, 'caddr', [])`
			`+ self.assertElementMissing(ticket_private, 'caddr')`
			`if expect_pac is not None:`
			`if expect_pac:`
			`self.assertElementPresent(ticket_private,`
			`@@ -2988,7 +2993,7 @@ class RawKerberosTest(TestCaseInTempDir):`
			`self.assertElementEqualPrincipal(encpart_private, 'sname',`
			`expected_sname)`
			`if self.strict_checking:`
			`- self.assertElementEqual(encpart_private, 'caddr', [])`
			`+ self.assertElementMissing(encpart_private, 'caddr')`

			`sent_pac_options = self.get_sent_pac_options(kdc_exchange_dict)`

			`@@ -3441,6 +3446,13 @@ class RawKerberosTest(TestCaseInTempDir):`
			`kcrypto.Enctype.AES128}:`
			`expected_patypes += (PADATA_ETYPE_INFO2,)`

			`+ preauth_key = kdc_exchange_dict['preauth_key']`
			`+ if preauth_key.etype == kcrypto.Enctype.RC4 and rep_padata is None:`
			`+ rep_padata = ()`
			`+ elif rep_msg_type == KRB_TGS_REP:`
			`+ if expected_patypes == () and rep_padata is None:`
			`+ rep_padata = ()`
			`+`
			`if not self.strict_checking and rep_padata is None:`
			`rep_padata = ()`

			`--`
			`2.34.1`